Magazine

Commentary: The Best Way to Make Software Secure: Liability

March 17, 2002

Microsoft Corp. (MSFT) is having a tough time making sure its products are free of glitches. On Feb. 21, the software giant alerted customers that it had released three fixes for gaping security holes in its Internet browser and other Web software that could allow hackers to crash Web servers or snatch files from a personal computer and send them to an attacker's machine.

Those revelations came just three weeks after developers in Microsoft's Windows division temporarily stopped writing software. Instead, the 7,000 programmers that work on the company's ubiquitous operating system and Web-server software are spending this month learning how to turn out bug-free programs, while combing products for any existing flaws.

No wonder Microsoft Chairman William H. Gates III has set security as his top priority. On Jan. 15, he sent an e-mail urging Microsoft's 50,000 employees to make their software as reliable and trustworthy as electric, water, and telephone service. Gates knows that if he wants customers to buy software and services via the Web--a key element of his vision for Microsoft--he can't afford security snafus. "Our software should be so fundamentally secure that customers never even worry about it," Gates wrote.

Bill, you're right. But you're a little late. Microsoft and other tech companies have neglected security issues for years. It's time companies that sell software with yawning security flaws or fail to secure their computer systems be held liable. Companies, or individuals, should be able to sue to recover any damages brought on by faulty programs or improperly installed security software.

Today, no one is held accountable for such lapses, and there's little incentive to improve the situation. On Jan. 8, the prestigious National Academy of Sciences, frustrated that security measures already available aren't being used, suggested lawmakers consider legislation that would end software companies' protection from product liability lawsuits.

Consider the experience of CERT, the government-funded computer security group. After trying for nine months to get computer companies to fix a flaw that could hit a multitude of networked devices, from printers to Web servers, CERT issued a public warning on Feb. 12 of a security gap. Even so, a day later the majority of the 240 companies affected had yet to contact CERT.

Much of the talk about improving computer safeguards overlooks a fundamental problem: Poorly written software is at the root of many security breaches. That's why the same mistakes keep cropping up. For example, recent problems with Microsoft's new Windows XP operating system and America Online's popular instant messaging program involved a design flaw that has been tripping up programmers for 20 years--even though tools are available to test for this vulnerability. "Software companies don't spend enough time on design and testing the product before it's made public," says Marty Linder, a security expert at CERT.

Hence, the bug hunt at the Windows division. So far, it's unclear if Microsoft will do the same with all its products. It's trying to change a culture that hasn't believed the problem was faulty software. Instead, Microsoft employees pointed the finger at users who didn't safeguard their systems. Microsoft notifies customers to update its products with software patches to take care of the latest scourge. But they left that task to users and, more often than not, it was ignored. "People didn't spend the two clicks to do it," says Craig J. Mundie, Microsoft's senior vice-president. This spring, Microsoft will unveil technology that allows Windows users to receive automatic updates each time a bug fix is available.

To date, there has been little incentive for Microsoft and other off-the-shelf software makers to do more. Why? Because they have insulated themselves by disclaiming all product liability. The courts have decided that buyers waive their right to sue after clicking the "I accept" button when they install software. "If Firestone produces tires with systemic vulnerabilities, they are liable," says Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., a provider of network protection services. "If Microsoft produces software with systemic vulnerabilities, they're not liable."

A better model for improving security may be the Y2K bug. Facing the threat of widespread computer meltdowns at the millennium, industry mobilized to change business practices and governments passed laws requiring Y2K certification for tech gear. Companies underwent massive campaigns to make certain they complied because they didn't want to be held liable for damages. The Securities & Exchange Commission required corporations to provide details of their Y2K efforts in quarterly earnings reports.

There are signs that Microsoft is trying to change the way it develops software. But it won't be enough to rely on one company to get it right. To get serious about computer security, there must be accountability.

Sager writes about computer security from New York. Greene covers Microsoft from Seattle. By Ira Sager and Jay Greene